Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

It’s not hard for secrets to sprawl, buried under layers of commits and forgotten branches. Most teams don’t notice it until one bad push exposes everything. Secret leaks don’t come from breaches, but from configuration drift and forgotten credentials; a gap that traditional vault tools struggle to close on their own. Here’s the scale of that mess. Machine identities now outnumber human users by more than 80 to 1, and each one relies on credentials to function.

When Anthropic dropped the Model Context Protocol (MCP) in late 2024, it felt like the missing puzzle piece for AI tooling: a standard way for Large Language Models (LLMs) to talk to data sources, APIs, and pretty much anything else you can think of. Think of it as a USB-C port for AI, as the protocol’s creators like to say. But like most shiny new standards, the devil’s in the details.

When it comes to distributing PHP applications, discussions often swing between two extremes: fully open-source everything or lock all your code behind encryption/encoding. Critics of encoding often argue that open source is superior because users can still inspect and customise code. But the truth is far more nuanced, and the most successful software vendors already know it.

Let’s catch up on the more interesting vulnerability disclosures and cyber security news gathered from articles across the web this week. This is what we have been reading about on our coffee break! I’m sure techs were hoping for a gradual wind down for the holiday season…

Phishing remains one of the most common cyber threats, affecting users across industries and regions. It targets human behavior rather than technology, which makes it more effective than many other attack methods. Now, attackers are using advanced tools, like AI, to make phishing more effective. To know how to avoid phishing attacks, you must understand how they work and the different forms they take.

An API token is like a small digital key that tells a system that a user or an app is allowed to act in the system. When this key gets stolen, attackers act as real users and misuse the account. It’s called API token hijacking, and this issue has grown in the last few years. Most companies are not able to detect this problem in time. It’s important for IT/security teams to understand token theft to respond quickly and build stronger protection for future attacks.

In 2025, we engineered a truly new era of modern DAST. We unlocked next-gen assessments with “infinite” payloads, eliminated the trade-off between broad attack surface visibility and deep application testing, and found the ultimate balance between human ingenuity and machine intelligence with our AI Researcher, Alfred. The result? A modern DAST product that delivers unmatched innovation and accuracy in the AppSec space.

This is a predictions blog. We know, we know; everyone does them, and they can get a bit same-y. Chances are, you’re already bored with reading them. So, we’ve decided to do things a little bit differently this year. Instead of bombarding you with just our own predictions, we’ve decided to cast the net far and wide. We’ve spoken to cybersecurity experts from around the world to answer what’s, for us, the most pressing question of all.

JSCEAL is an information stealer that’s been targeting users of cryptocurrency applications. As reported by Check Point Research (CPR) in July 2025, JSCEAL has developed into a more advanced form. In a new campaign observed by Cato CTRL in August 2025, JSCEAL has adopted a revamped command-and-control (C2) infrastructure, enhanced anti-analysis safeguards, and an updated script engine designed for increased stealth. The campaign remains active.

Why we’re bringing Zero Standing Privileges to M365, and why it matters. In the past decade, we collectively agreed that standing access to infrastructure is a security failure. No credible security team allows permanent root access on production servers or standing SSH keys for cloud instances. We built vaults, we implemented session recording, and we moved to Just-in-Time (JIT) access for infrastructure.